{{- $enabledNamespaces := .Values.operatorTrivy | dig "internal" "enabledNamespaces" (list) }}

{{- if .Values.operatorTrivy.linkCVEtoBDU }}
---
apiVersion: admissionregistration.k8s.io/v1
kind: MutatingWebhookConfiguration
metadata:
  name: operator-trivy-report-updater
  {{- include "helm_lib_module_labels" (list . (dict "app" "report-updater")) | nindent 2 }}
webhooks:
- name: mutating-webhook.report-updater.deckhouse.io
  namespaceSelector:
    matchExpressions:
      - key: "kubernetes.io/metadata.name"
        operator: "In"
        values: {{ gt (len $enabledNamespaces) 0 | ternary $enabledNamespaces (list "default") | toYaml | nindent 10 }}
  rules:
  - apiGroups:   ["aquasecurity.github.io"]
    apiVersions: ["v1alpha1"]
    operations:  ["CREATE", "UPDATE"]
    resources:   ["vulnerabilityreports"]
    scope:       "Namespaced"
  clientConfig:
    service:
      namespace: d8-{{ .Chart.Name }}
      name: report-updater
      path: "/mutate-vulnerability-report"
      port: 40443
    caBundle: {{ .Values.operatorTrivy.internal.reportUpdater.webhookCertificate.ca | b64enc }}
  admissionReviewVersions: ["v1"]
  sideEffects: None
  failurePolicy: Ignore
  timeoutSeconds: 5
{{- end }}
